Recent Mass SQL Injection Payload Analysis

There have been a number of mass SQL Injection campaigns targeting ASP/ASP.Net/MS-SQL sites over the past few months. While there have been a number of stories, sites and blogs that analyze the the injected JS script tags into the infected sites and their subsequent redirections to browser exploit kits such as Nuclear, Blackhole or Phoenix, what has been severely lacking is any details about how these web sites were initially infected.

Mass SQL Injection Payloads

SpiderLabs Research has obtained the following attack payloads that recently targeted a Microsoft IIS web server (ASP/ASP.Net/CFM/MS-SQL).

These attacks attempted to modify various title data (Categories, Content and Homepage) in the hopes of injecting JS pointers to offsite content. The payloads are obscured by use of the char() function and use cast() to modify or REPLACE content. If we decoded the char() data to normal ASCII text we get the following data:

These web servers are still active however the r.php scripts are now removed. These were either redirectors to other active exploit kits or the exploit kits themselves.

Mitigation Options

Positive Security Input Validation

The web application should be validating client input against a postive security model that only allows data that meets expected criteria such as length limits, character sets and formats. In the cases of mass SQL Injection, the vast majority of attack vectors are parameters that are only supposed to be integers. It is very simple to only allow numeric characters for specified parameter payloads. We show how to do this with the OWASP ModSecurity Core Rule Set and its new learning/profiling rules using the Lua API.

Negative Security Filtering

If these web sites were front-ended by an Apache reverse proxy server (with ModSecurity and the OWASP ModSecurity Core Rule Set) then the back-end IIS/MS SQL application servers would have been protected against this attack. There are a number of different SQL Injection attack rules that are triggered when these payloads are sent against a site protected with ModSecurity and the CRS: